hipaa compliance Archives - LuxSci

Posts Tagged ‘hipaa compliance’

Dental Practice Marketing & HIPAA

Thursday, September 29th, 2022

Dental practices face enormous challenges when it comes to acquiring new patients and expanding their practices. Marketing is all but essential to make sure your practice thrives. This article discusses how dental practices can thrive using personalized marketing without running afoul of HIPAA regulations.

Dental Practice Marketing Today

Marketing is essential to growing any business, but in highly regulated spaces such as dentistry there are serious compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstanding HIPAA can lead to patient privacy breaches that place your finances and reputation at risk.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

Most Common Misunderstandings of HIPAA

HIPAA is a complicated set of rules and regulations. When it comes to patient marketing, there are many misconceptions about what is and isn’t allowed. Here we unpack a few of the most common misunderstandings as they apply to HIPAA-compliant marketing.

1. As long as patient consent is acquired, HIPAA doesn’t matter

Acquiring patient consent does not remove the organization’s obligation to secure protected health information (PHI) under the law. If PHI is improperly accessed, it is a breach and can lead to severe consequences.

2. Marketing emails do not need encryption

Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as PHI. HIPAA regulations require PHI to be encrypted in transit and at rest.

3. Personalizing marketing emails is a HIPAA violation

Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

The Power of Marketing Personalization for Dental Practices

When using a HIPAA-compliant email marketing solution, you can leverage the data and information you have about your patients to increase engagement.


Improve marketing results and drive better patient outcomes by connecting to your patients with messaging that matters to them. Using PHI to segment and personalize emails delivers results for both your practice and your patients.

A Cautionary Tale

In May 2022, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, a dental practice with offices in Charlotte and Monroe, North Carolina, allegedly impermissibly disclosed a patient’s protected health information on a webpage in response to a negative online review. The Office for Civil Rights imposed a $50,000 civil penalty.

Marketing Directly Impacts Practice Success

In the last decade, patients have significantly changed how they seek healthcare. Most patients now consult digital channels as a primary source of information when searching for new treatments and providers. The information they find via internet searches, social media, and review websites substantially influences their choice of provider. For dental marketers, this change has required a significant adjustment to their marketing strategies.

The Answer is a Fully Compliant Marketing Communications Solution

Starting a new marketing program requires the right tools. Do not choose a solution that prohibits you from using PHI in a way that is fully compliant.


How to Evaluate Secure Communications Solutions for Healthcare

Choosing the right email encryption solution is especially critical for dental organizations: HIPAA regulations, PHI risk, and improved patient engagement are absolute priorities, as are ease of use, simple integration, and high-level support.

Meet Compliance Requirements for Email

LuxSci’s Secure Connector adds a layer of protection to Google Workspace and Microsoft 365 email accounts. Don’t leave your organization’s security up to employees. Prevent breaches by securing sensitive data by default. LuxSci is HITRUST certified and can meet compliance requirements for HIPAA, SOC, GDPR, and more.


Conclusion: Online Marketing Isn’t Optional

Marketing your dental practice is no longer as simple as creating a listing in a directory or sending mail to potential patients. To remain competitive, practices must adopt online advertising techniques that offer a solid return on investment. The perils of possible HIPAA violations may dissuade some from taking the leap, but by properly vetting vendors, training staff, and selecting the right tools, it’s possible to engage patients and achieve results.

Want to learn more about how to market your practice online without violating HIPAA? Join our free webinar on October 19th.


LuxSci and Compliancy Group Work Together to Transform Healthcare Communications

Wednesday, September 14th, 2022

Boston, MA – September 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with Compliancy Group, a leading software solution for healthcare compliance. By partnering with LuxSci, Compliancy Group can offer best-in-class email security solutions to close technology gaps identified by their proprietary compliance platform.

“The way healthcare organizations communicate with patients is constantly evolving. These organizations often fail to realize that HIPAA regulates the ways in which providers can communicate with patients and the tools that they are permitted to use. As a forward-thinking email service provider, LuxSci has taken the steps required to meet HIPAA’s communication standards.” Kelly Koch, Director of Dental Relations, Compliancy Group.

The Covid-19 pandemic forced healthcare organizations to adopt new digital technologies quickly. Many turned to Compliancy Group to navigate the complex HIPAA compliance questions associated with new technologies like telehealth. Likewise, providers rapidly implemented digital tools, like LuxSci’s suite of HIPAA-compliant email solutions, to engage patients. The partnership allows LuxSci and Compliancy Group to help healthcare organizations address the difficult compliance questions that arise during digital transformation.

“Compliancy Group offers a vital service to healthcare organizations and vendors in these rapidly changing times. Their comprehensive compliance platform allows providers to navigate this heavily regulated environment with the confidence that they are complying with HIPAA. LuxSci is proud to partner with Compliancy Group to help their customers secure email communications and engage patients with HIPAA-compliant technology.” Heather Clark, Vice President of Strategic Partnerships, LuxSci.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an easy-to-use software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation to protect organizations in case of an audit. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion. The Seal can be used in marketing and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools. LuxSci’s top-rated US-based support team goes above and beyond to help organizations stay protected.

Learn more about healthcare marketing by attending our joint webinar on October 19th.


Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.


What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any one of these, combined with information on healthcare payments, constitutes PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual
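To make the "payment information plus any identifier equals PHI" rule concrete, here is an added example (not code from LuxSci or from the original post) that checks a billing export line against the identifier types listed above and strips them the way a Safe Harbor-style de-identification would. The field names, regexes and the sample record are constructed assumptions; the last identifier category ("any other characteristic") cannot be automated, so free-text fields are scanned for leaked patterns and dropped rather than trusted.

```python
"""Is a billing record PHI, and what survives stripping the 18 identifier types?
Field names and the sample record are constructed for this example."""
import re

# Fields that map onto the identifier types listed above (constructed names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_serial", "device_serial", "url", "ip", "photo_ref", "biometric_ref",
}
# Date elements are identifiers unless reduced to the year alone.
DATE_FIELDS = {"birth_date", "service_date", "admission_date", "discharge_date"}
# Payment-related information (item 3 of the PHI definition above).
PAYMENT_FIELDS = {"insurance_carrier", "amount_billed", "amount_paid", "card_last4"}
# Identifiers that typically leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
YEAR_ONLY = re.compile(r"\d{4}")


def identifiers_present(record):
    """Return the set of identifier types found in a record (dict of field -> value)."""
    found = set()
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in DIRECT_IDENTIFIERS:
            found.add(key)
        elif key in DATE_FIELDS and not YEAR_ONLY.fullmatch(str(value)):
            found.add(key)                      # a full date, not just the year
        elif key == "age" and isinstance(value, int) and value > 89:
            found.add("age")                    # exact age over 89
        elif isinstance(value, str):            # free text: scan for leaked patterns
            found.update(f"{key}:{name}" for name, pat in FREE_TEXT_PATTERNS.items()
                         if pat.search(value))
    return found


def is_phi(record):
    """PHI: payment (or health) information tied to at least one identifier."""
    has_payment = any(record.get(k) not in (None, "") for k in PAYMENT_FIELDS)
    return has_payment and bool(identifiers_present(record))


def safe_harbor_strip(record):
    """Copy of the record with identifier types removed: direct identifiers dropped,
    dates reduced to the year, ages over 89 collapsed to '90+', and free-text
    fields containing a leaked pattern dropped whole (safer than regex redaction)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS and value:
            out[key] = str(value)[:4]           # assumes ISO YYYY-MM-DD input
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"
        elif isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS.values()):
            continue
        else:
            out[key] = value
    return out


# Constructed sample: one line of a billing export, as a dict.
SAMPLE = {
    "name": "Jane Doe", "zip": "28205", "birth_date": "1931-04-02", "age": 91,
    "service_date": "2022-06-14", "insurance_carrier": "ExampleCare",
    "amount_billed": 240.00, "notes": "Patient asked to be called at 704-555-0142",
}

if __name__ == "__main__":
    print(is_phi(SAMPLE), sorted(identifiers_present(SAMPLE)))
    print(safe_harbor_strip(SAMPLE), is_phi(safe_harbor_strip(SAMPLE)))
```

Note that the stripped record still carries payment information; it simply no longer meets the PHI definition because no identifier remains to tie it to a person.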

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they hold is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities, which work under HIPAA regulations daily, third parties may not fully understand them. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious-content scanning tools
  • Creating audit logs and reviewing them for suspicious activity

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.

Is Microsoft Teams HIPAA-Compliant?

Tuesday, July 12th, 2022

Microsoft Teams is a unified communication platform with workplace chat, video conferencing, and file-sharing tools. It’s a popular program for internal workplace communications. However, healthcare organizations may wonder if they can use it while complying with HIPAA.

Microsoft Teams is designed to work with Microsoft 365 and additional Microsoft products. As readers of this blog may know, Microsoft 365 email products can be used in a HIPAA-compliant manner, but they require additional security configurations to meet compliance requirements. In the same way, organizations must take additional steps to secure Microsoft Teams.


Business Associate Agreement

As we have discussed before, a business associate agreement (BAA) is required for any vendor that will process ePHI on a company’s behalf. These agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the parties.

BAAs are absolutely necessary for HIPAA compliance. Even if Microsoft Teams is correctly configured with the necessary security controls, it would still violate HIPAA if a signed BAA were not in place. If an organization already has a BAA with Microsoft, it should confirm that using Teams is covered before implementing it. Since no BAA is available for free Microsoft Teams accounts, they are not HIPAA-compliant.

Configure Security Settings

As mentioned above, using Microsoft Teams in a HIPAA-compliant manner involves more than signing the BAA and downloading the application. The organization must comply with the HIPAA Security Rule, which involves:

  • Ensuring the confidentiality, integrity, and availability of all electronic PHI.
  • Detecting and safeguarding against anticipated threats to the security of the information.
  • Protecting against anticipated, impermissible uses or disclosures.
  • Certifying compliance by the workforce.

Covered entities are responsible for putting the proper controls and reporting mechanisms in place to protect PHI. That includes employing the various safeguards available in the Microsoft Teams platform, such as:

  • Implementing user access controls
  • Requiring multifactor authentication and single sign-on (SSO) for user logins
  • Encrypting data in transit and at rest
  • Tracking and investigating specific activities using audit logs

Note that some features of Microsoft Teams may not be available when the platform is configured for compliance. It’s up to an organization’s IT and compliance teams to implement and enforce the proper technical controls.

Create Policies and Educate Users

Just because Microsoft Teams can be used to transmit ePHI doesn’t mean it is always the best choice. Administrators should create policies that spell out how and when ePHI can be transmitted through Teams. For example, to reduce risk, it may be wise to keep heavy ePHI items like lab results out of the messaging application.

In addition, organizations should determine which devices employees can use Teams on. If employees are allowed to install Teams on their personal devices, the IT and compliance teams must develop policies and institute controls that can remotely wipe and disable those devices if lost or stolen, to prevent unauthorized ePHI access.

Microsoft Teams can make intra-office communication much more straightforward, but it’s essential to determine what is and isn’t allowed before rolling it out to employees. Handling ePHI is very nuanced, and to protect data, it’s essential to thoroughly understand the risks involved with a new communications platform.

Improve Access to Preventative Healthcare with Email

Tuesday, March 22nd, 2022

Next up in our series on patient education and engagement, we look at ways to encourage preventative healthcare with digital technologies.


Vaccines and Flu Shot Information

It’s challenging to encourage individuals to get a yearly flu shot. Common reasons people skip one include:

  • not enough time
  • don’t think they need one
  • don’t know where or when to get one

Accordingly, one way to expand outreach efforts is with a series of personalized and educational emails. Using a patient database, it’s easy to identify the patients at the highest risk of severe consequences from contracting the flu. The marketing team can then put together a series of educational emails that address common questions, including:

  • why flu shots are important to public health
  • how to schedule a flu shot appointment
  • promotions to incentivize populations with lower vaccination rates

In addition, patient education can also help combat vaccine misinformation. The Covid-19 vaccine rollout represents a good example. The lack of compelling information from official sources led people to the Internet and social media to search for information about the vaccines. Despite local and national government efforts, the information void was filled by misinformation. Reaching out to patients before they encountered misinformation could have helped increase trust and increased vaccination rates.

Preventative Healthcare Screenings and Testings

Preventative healthcare screenings for cancer, blood pressure, and diabetes are recommended on a yearly basis. Identifying these conditions and treating them early on can drastically improve health outcomes. However, many people do not know when to get screened. Many tests do not apply until patients reach a certain age bracket or if they have certain risk factors. Email campaigns can target patients who meet the criteria for a preventative screening.

Next, let’s look at another example. Breast cancer screenings are recommended for women when they reach 40 years old. A healthcare marketer could create an email campaign to let eligible patients know how to schedule a mammogram. This campaign could provide educational information on why screenings are important, what patients can expect at their mammogram, and how to schedule an appointment. Promotional tactics can also encourage more signups. Early detection of cancer saves lives, and it’s incredibly important to conduct these screenings.

Appointment Scheduling

Furthermore, it is important that patients come in for annual appointments. These appointments are where many screening procedures occur. Skipping an annual appointment can mean missing the early symptoms of a serious health condition. Email campaigns can help close care gaps and encourage patients who have missed appointments to reschedule. Removing barriers to care and increasing the number of communication touch points can improve patient engagement.

The Power of Personalization in Preventative Healthcare

Finally, emails are even more powerful when they are personalized using ePHI. Marketers can use audience segmentation to break down patient populations into distinct groups and create relevant messaging. However, to segment and personalize email marketing messages with ePHI, the organization must use a HIPAA-compliant marketing solution. Read our other blogs for more information on selecting a HIPAA-compliant email marketing platform.

By targeting distinct patient groups, marketing teams can create highly relevant messages that increase patient engagement. Take the earlier breast cancer screening campaign example. This campaign is particularly relevant to women in their 40s and 50s who may be unfamiliar with the screening process and how to schedule a mammogram. If this campaign were sent to an entire patient population, it would be confusing and annoying: young women might mistakenly believe they need to get screened, and men would be annoyed by the unnecessary email outreach.

Targeting the right population at the right time with the right message is key to marketing success. Using patient data in a safe way allows the marketing team to create highly personalized campaigns that help patients access preventative healthcare.


To conclude, educational email campaigns can encourage patients to access preventative care that they may not know is available. To achieve the best results, marketers can use segmentation and personalization to create highly targeted email campaigns to help patients achieve desired health outcomes. For more information on creating HIPAA-compliant email marketing campaigns, check out LuxSci’s Secure Marketing tool.